Cisco patches switch hijacking hole – the one exploited by the CIA

Telnet security flaw fix finally lands – or just use SSH, yeah?

Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files.

Switchzilla says the vulnerability, CVE-2017-3881, can be exploited remotely by simply establishing a Telnet connection and sending a cluster management protocol (CMP) command to the target equipment. There is a proof-of-concept exploit here.

"An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections," Cisco explains in its advisory on Monday.

"An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."

Making matters worse is the fact that IOS and IOS XE, the firmware Cisco uses for its network appliances, do not limit CMP command access to local connections. This means any attacker who can establish a Telnet connection – such as across the internet – can send the malformed commands to trigger the exploit and either hijack the target device or just knock it offline.

The list of vulnerable switches numbers more than three hundred, and includes Cisco Catalyst, Embedded Services, and Industrial Ethernet switch models. The vulnerable CMP components is present and turned on in all versions of IOS, while some IOS XE devices might not have it enabled.

The flaw was among the revelations unearthed in March when Wikileaks dumped a trove of CIA hacking manuals dubbed Vault 7. Since the March revelation, Cisco has been advising admins to disable Telnet in favor of SSH connections.

On a 1-10 scale, Cisco scores the issue as 9.8 and has labeled it a critical risk. With no other mitigations available, aside from turning off Telnet, admins are urged to install the provided patch as soon as possible.